
CN106201872A - A running environment detection method for the Android system

Info

Publication number: CN106201872A
Authority: CN (China)
Prior art keywords: instruction, address, android, running environment, android system
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201610523168.XA
Other languages: Chinese (zh)
Inventor: 文伟平
Current Assignee: Beijing Devsource Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Beijing Devsource Technology Co Ltd
Priority date: 2016-07-05 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2016-07-05
Publication date: 2016-12-07
Application filed by Beijing Devsource Technology Co Ltd
Priority to CN201610523168.XA
Publication of CN106201872A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/36: Preventing errors by testing or debugging software
    • G06F11/3664: Environments for testing or debugging software

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method for detecting the running environment of an Android system. It uses the characteristics of the CPU cache to detect whether the current Android system is running on an Android emulator or on a real Android device. The method comprises the steps of: 1) executing an instruction at an arbitrary address, denoted address, this instruction being the old instruction; 2) writing a new instruction, different from the old instruction, to address; 3) executing the instruction at address again; 4) determining from the execution result of step 3) whether the instruction executed was the new instruction or the old instruction, and thereby detecting whether the running environment of the current Android system is an Android emulator or a real Android device. The technical solution provided by the invention detects the Android running environment effectively and conveniently.

Description

A running environment detection method for the Android system
Technical field
The present invention relates to the field of information security technology, and in particular to a method for detecting the running environment of an Android system.
Background
With the arrival of the mobile Internet, mobile application development is booming. Because the Android platform is open source and free, its market share has grown greatly, but while this brings convenience to manufacturers and users it also brings security risks. The number of mobile phone users is growing faster and faster, especially in China, where it has exceeded 1 billion and about 75% of people have their own mobile phone. Because phones are increasingly intelligent and easy to carry, many people store private information on them and unknowingly expose it in many situations, and this information is exactly what many virus authors are after. A malicious attacker runs Android software in an emulator, performs operations on the software to trigger as many malicious behaviors as possible, has them written to the log, and then analyzes the log maliciously with scripts. To further reduce such incidents, security research on Android mobile terminals is becoming more and more important.
The Android system is divided into four layers, each providing services to the layer above it. The bottom layer is the Linux kernel; the next layer up is the Android libraries and the Android runtime; above that is the application framework; and the top layer is the applications. The Android runtime includes the Dalvik VM and the Java class libraries. Although the core of Android is the Linux kernel, most of its programs are developed in Java and run by the Dalvik VM. All .class files and .jar files are converted to the .dex format by the DX tool in the SDK. When the DX tool compiles .class files, it removes the redundancy inside them and merges all the .class files into one file to improve performance; the DX tool also optimizes the .dex file for performance, and the .dex file is then run by the Dalvik virtual machine.
The openness of Android has attracted numerous attackers, and it has also led a wide range of security researchers to carry out much work on strengthening its security, with many practical results. Researchers have proposed security enhancement schemes based on virtualization technology. Virtualization makes it possible to separate public and private use and to integrate platforms, and because the virtual machine monitor has higher privileges than the operating system, it can be used to monitor and control platform behavior, thereby improving the security of the whole system.
The Android emulator brings great convenience to developing and debugging application software, but attackers can use it to analyze software maliciously. Determining the environment in which an Android application is currently running has therefore become one way of protecting released applications.
The main existing methods for detecting the current running environment of an Android application include: (1) checking the IMEI: a real Android device has a unique IMEI number, whereas an Android emulator returns a string of zeros; however, the IMEI of current emulators can be modified; (2) checking the MAC address: emulators generally have only a few fixed MAC addresses; however, the MAC address of an emulator can now also be modified with certain software. Therefore, neither of these two existing methods can accurately detect whether the current running environment of an Android application is really safe, and it is difficult to use them to protect released Android applications.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention provides a method for detecting the running environment of an Android system. The method detects the Android emulator based on the characteristics of the CPU cache, determining whether the current Android system is running on a real Android device or on an Android emulator, and thereby prevents malicious attackers from using the emulator to analyze software maliciously.
The principle of the present invention is:
Several levels of cache can sit between the CPU and main memory to speed up execution: instructions are cached so that they do not have to be fetched again from slow memory. Most Android phones today use the ARM architecture (Advanced RISC Machine). ARM is a 32-bit reduced instruction set processor architecture that is widely used in embedded system designs. The ARM architecture has two levels of cache, and one of those levels is split into two parallel blocks: a cache that stores only program instructions and a cache that stores data. A memory structure that separates program instruction storage from data storage is called the Harvard architecture, and one that combines program instruction storage and data storage is called the von Neumann architecture. The emulator currently provided by the Android SDK (Software Development Kit) is based on QEMU. QEMU is an open-source processor emulator written by Fabrice Bellard, distributed as source code under the GPL license and widely used on GNU/Linux platforms. The emulator does not have split caches; that is, it has only one monolithic cache. In the Harvard architecture the two caches are not synchronized, so the value at a particular address can be updated in one cache without being updated in the other. For example, data written into the data cache is not written into the instruction cache. The present invention exploits this difference in cache structure between the Android emulator and a real Android device: it executes a few instructions and infers the cache structure from the final execution result, which makes it possible to tell the two apart.
The technical solution provided by the present invention is:
A method for detecting the running environment of an Android system, which uses the characteristics of the CPU cache to detect whether the current running environment is an Android emulator or a real Android device, comprising the following steps:
1) executing an instruction at an arbitrary address, denoted address, this instruction being the old instruction;
2) writing a new instruction to address, the new instruction being different from the old instruction of step 1);
3) executing the instruction at address again;
4) determining, from the execution result of step 3), whether the instruction executed in step 3) was the new instruction or the old instruction; when the instruction executed in step 3) is the old instruction, the running environment of the current Android system is a real device; when the instruction executed in step 3) is the new instruction, the running environment of the current Android system is an Android emulator.
Compared with the prior art, the beneficial effects of the present invention are:
Existing Android emulator detection methods mainly distinguish the running environment by specific system values, for example by using functions such as getDeviceId() and getLine1Number(). The method provided here instead distinguishes a real Android device from an Android emulator by the structural characteristics of the cache. It detects the running environment of the Android system effectively and conveniently, and is novel.
Brief description of the drawings
Fig. 1 is a flow diagram of the running environment detection method for the Android system provided by the present invention.
Fig. 2 is a flow diagram of instruction execution on a real Android device.
Fig. 3 is a flow diagram of instruction execution on the Android emulator.
Detailed description of the invention
The present invention is further described below through embodiments with reference to the accompanying drawings, which do not limit the scope of the invention in any way.
The present invention provides a method for detecting the running environment of an Android system, which uses the characteristics of the CPU cache to detect whether the current running environment is an Android emulator or a real Android device. Most current Android phones use the Harvard architecture: one of the two cache levels is split into two parallel blocks, a cache that stores only program instructions and a cache that stores data. These two parallel caches are not synchronized, so the value at a particular address can be updated in one cache without being updated in the other. Fig. 2 is a flow diagram of instruction execution on a real Android device. Fig. 3 is a flow diagram of instruction execution on the Android emulator.
The running environment detection method for the Android system provided by the present invention specifically comprises the following steps:
A. Execute an arithmetic instruction at an arbitrary address; for convenience of description, this address is named address.
A1. On a real device, this instruction is placed in the cache dedicated to instructions;
A2. In the emulator, this arithmetic instruction is placed directly in the cache;
Because the emulator has only one monolithic cache, it is simply called the cache, with no need to distinguish between data storage and instruction storage.
B. Write a new instruction to address;
B1. On a real device, the new instruction is written to the cache dedicated to data;
B2. In the emulator, it is written directly to the cache;
C. Execute the instruction at address.
At this point, a real device reads the instruction from the cache dedicated to instructions, so it executes the instruction from the first step, the old instruction. The emulator reads the instruction directly from its cache, so it executes the instruction from the second step, the new instruction. Whether the executed instruction was the new one or the old one therefore tells us whether the current environment is the emulator or a real device.
Because the cache structure of a real device differs from that of the emulator, the running environment detection method provided by the present invention uses the structural characteristics of the cache to detect whether the running environment is an emulator. Specifically, an arithmetic instruction is executed at an arbitrary address, a new instruction is written to that address, and the instruction at that address is executed again; whether the first instruction or the later new instruction was executed determines whether the running environment is a real device or an emulator. If the first instruction, the old instruction, was executed, the environment is a real device; if the second instruction, the new instruction, was executed, the environment is an emulator.
The present invention is further described below by way of example.
The following example first designs a piece of code that writes a new instruction to a specific address. Because execution then has to return to the original address and run it again, the example is implemented as a loop. The code that overwrites the instruction at a specific address is as follows:
__asm__ volatile(
    "stmfd sp!, {r4-r8, lr}\n"
    "mov r6, #0\n"              // loop counter, used for debugging
    "mov r7, #0\n"              // initialize r7
    "mov r8, pc\n"              // r8 = address of the "new instruction" (add r7, #1) two lines below
    "mov r4, #0\n"              // initialize r4
    "add r7, #1\n"              // the "new instruction" that will overwrite address
    "ldr r5, [r8]\n"            // r5 = machine word of the new instruction
    "code:\n"
    "add r4, #1\n"              // this is address: the old instruction, which adds 1 to r4
    "mov r8, pc\n"              // these three instructions write the new instruction
    "sub r8, #12\n"             //   (held in r5) over the add r4, #1 at address
    "str r5, [r8]\n"
    "add r6, #1\n"              // r6 counts iterations
    "cmp r4, #10\n"             // loop bound
    "bge out\n"
    "cmp r7, #10\n"             // loop bound
    "bge out\n"
    "b code\n"                  // loop back, at most 10 iterations
    "out:\n"
    "mov r0, r4\n"              // use the value of r4 as the return value
    "ldmfd sp!, {r4-r8, pc}\n"
);
From the code above we can conclude that if r4 is 10, the old instruction was the one executed and the code is running on a real device. If r4 equals 1, the new instruction was executed and the code is running on an emulator.
However, a problem arises here: some memory does not have read, write and execute permission, so a new region of memory has to be set up to run the code written above. The solution is the mmap function in C, which can allocate a new region of memory and give it read, write and execute permission. The compiled machine code is copied into the region returned by mmap, and a function pointer is then called to jump to the start address of the new region and execute the code. The following code segment can be used:
#include <string.h>     // memcpy
#include <sys/mman.h>   // mmap, PROT_*, MAP_*

void (*call)(void);     // function pointer call
#define PROT  (PROT_EXEC | PROT_WRITE | PROT_READ)      // readable, writable, executable
#define FLAGS (MAP_ANONYMOUS | MAP_FIXED | MAP_SHARED)
char code[] =           // machine code of the assembly designed above
"\xF0\x41\x2D\xE9\x00\x60\xA0\xE3\x00\x70\xA0\xE3\x0F\x80\xA0\xE1"
"\x00\x40\xA0\xE3\x01\x70\x87\xE2\x00\x50\x98\xE5\x01\x40\x84\xE2"
"\x0F\x80\xA0\xE1\x0C\x80\x48\xE2\x00\x50\x88\xE5\x01\x60\x86\xE2"
"\x0A\x00\x54\xE3\x02\x00\x00\xAA\x0A\x00\x57\xE3\x00\x00\x00\xAA"
"\xF5\xFF\xFF\xEA\x04\x00\xA0\xE1\xF0\x81\xBD\xE8";
// The statements below run inside the detection function.
void *exec = mmap((void *)0x10000000, (size_t)4096, PROT, FLAGS, -1, (off_t)0);  // allocate the region
memcpy(exec, code, sizeof(code));   // sizeof already counts the trailing NUL; +1 would read past the array
call = (void (*)(void))exec;        // assign the start address of the region to the function pointer call
call();                             // call it to execute the copied code
In the code above, we allocate a new region of readable, writable and executable memory, copy the machine code of the assembly into it, and then call the function pointer call to jump to the start address of this region and execute the copied machine code. Afterwards we read the value of r4.
__asm__ volatile(
    "mov %0, r0\n"
    : "=r"(a)
    :
    :
);
This stores r0, that is, the value of r4, into the variable a. Different values can then be returned depending on a, which makes it convenient to evaluate the result inside the application. Testing on a real device shows that the value of r4 is 10, while running in the emulator shows that the value of r4 is 1, so what the emulator executed is the new instruction.
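The following C program is an added illustration, not part of the patent: it interprets the machine code from the page's code[] array under two simplified cache models to show why r4 ends at 10 with a split, unsynchronized instruction cache and at 1 with a single unified cache. The interpreter, the names run_probe, classify, SPLIT_ICACHE and UNIFIED, and the fill-on-first-fetch cache model are assumptions made for the example; the model follows the patent's description, not the behavior of any particular CPU or emulator build.

```c
#include <stdint.h>
#include <stdio.h>

/* Machine code copied from the page's code[] array: 19 little-endian A32 words. */
static const unsigned char PAGE_CODE[] =
    "\xF0\x41\x2D\xE9\x00\x60\xA0\xE3\x00\x70\xA0\xE3\x0F\x80\xA0\xE1"
    "\x00\x40\xA0\xE3\x01\x70\x87\xE2\x00\x50\x98\xE5\x01\x40\x84\xE2"
    "\x0F\x80\xA0\xE1\x0C\x80\x48\xE2\x00\x50\x88\xE5\x01\x60\x86\xE2"
    "\x0A\x00\x54\xE3\x02\x00\x00\xAA\x0A\x00\x57\xE3\x00\x00\x00\xAA"
    "\xF5\xFF\xFF\xEA\x04\x00\xA0\xE1\xF0\x81\xBD\xE8";

#define NWORDS 19
#define BASE 0x10000000u /* load address used by the page's mmap call */

/* Assumed model names: an I-cache that never sees data-side stores,
   versus one unified cache where every fetch sees the latest store. */
enum cache_model { SPLIT_ICACHE, UNIFIED };

static uint32_t ror32(uint32_t v, unsigned n) { return n ? (v >> n) | (v << (32 - n)) : v; }

/* Interprets the page's code; returns r0 at exit (the final r4), or -1 on error. */
int run_probe(enum cache_model model)
{
    uint32_t mem[NWORDS], icache[NWORDS] = {0}, r[16] = {0}, pc = BASE;
    int valid[NWORDS] = {0}, ge = 0;

    for (int i = 0; i < NWORDS; i++)
        mem[i] = (uint32_t)PAGE_CODE[4 * i] | (uint32_t)PAGE_CODE[4 * i + 1] << 8 |
                 (uint32_t)PAGE_CODE[4 * i + 2] << 16 | (uint32_t)PAGE_CODE[4 * i + 3] << 24;

    for (int steps = 0; steps < 1000; steps++) {       /* bound guards against runaway loops */
        uint32_t idx = (pc - BASE) / 4, insn, next = pc + 4;
        if (idx >= NWORDS) return -1;
        if (model == UNIFIED) {
            insn = mem[idx];                           /* fetch sees the latest store */
        } else {
            if (!valid[idx]) { icache[idx] = mem[idx]; valid[idx] = 1; } /* line fill on first fetch */
            insn = icache[idx];                        /* later stores stay invisible */
        }
        uint32_t cond = insn >> 28, cls = (insn >> 25) & 7, op = (insn >> 21) & 0xF;
        uint32_t rn = (insn >> 16) & 0xF, rd = (insn >> 12) & 0xF;
        if (cond != 0xE && cond != 0xA) return -1;     /* only AL and GE occur in this code */
        r[15] = pc + 8;                                /* A32: reading pc yields insn address + 8 */
        if (cond == 0xE || ge) {
            if (cls == 4) {                            /* stmfd / ldmfd; the stack is not modelled */
                if ((insn & (1u << 20)) && (insn & 0x8000u)) return (int)r[0]; /* pop pc: return */
            } else if (cls == 5) {                     /* b / bge: sign-extend imm24, times 4 */
                int32_t off = (int32_t)((insn & 0xFFFFFFu) ^ 0x800000u) - 0x800000;
                next = pc + 8 + (uint32_t)(off * 4);
            } else if (cls == 2) {                     /* ldr/str rd, [rn] with zero offset */
                uint32_t di = (r[rn] - BASE) / 4;
                if ((insn & 0xFFFu) || di >= NWORDS) return -1;
                if (insn & (1u << 20)) r[rd] = mem[di];   /* loads read the data side */
                else mem[di] = r[rd];                     /* stores write the data side only */
            } else if (cls == 0 || cls == 1) {         /* mov / add / sub / cmp */
                uint32_t op2;
                if (cls == 1) op2 = ror32(insn & 0xFF, ((insn >> 8) & 0xF) * 2);
                else if (insn & 0xFF0u) return -1;     /* shifted register operands not modelled */
                else op2 = r[insn & 0xF];
                switch (op) {
                case 0x4: r[rd] = r[rn] + op2; break;                    /* add */
                case 0x2: r[rd] = r[rn] - op2; break;                    /* sub */
                case 0xD: r[rd] = op2; break;                            /* mov */
                case 0xA: ge = (int32_t)r[rn] >= (int32_t)op2; break;    /* cmp */
                default: return -1;
                }
            } else {
                return -1;
            }
        }
        pc = next;
    }
    return -1;
}

/* The page's decision rule: 10 means the old instruction kept running, 1 the new one. */
const char *classify(int r4)
{
    return r4 == 10 ? "real device" : r4 == 1 ? "emulator" : "unknown";
}

int main(void)
{
    int split = run_probe(SPLIT_ICACHE), unified = run_probe(UNIFIED);
    printf("split I-cache: r4 = %d (%s)\n", split, classify(split));
    printf("unified cache: r4 = %d (%s)\n", unified, classify(unified));
    return 0;
}
```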
It should be noted that the purpose of publishing the embodiments is to help further understand the present invention, but those skilled in the art will understand that various substitutions and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the present invention should not be limited to what is disclosed in the embodiments; the scope of protection claimed is defined by the claims.

Claims (2)

1. A method for detecting the running environment of an Android system, which uses the characteristics of the CPU cache to detect whether the running environment of the current Android system is an Android emulator or a real Android device, comprising the following steps:
1) executing an instruction at an arbitrary address, denoted address, this instruction being the old instruction;
2) writing a new instruction to address, the new instruction being different from the old instruction of step 1);
3) executing the instruction at address again;
4) determining, from the execution result of step 3), whether the instruction executed in step 3) was the new instruction or the old instruction; when the instruction executed in step 3) is the old instruction, the running environment of the current Android system is a real device; when the instruction executed in step 3) is the new instruction, the running environment of the current Android system is an Android emulator.
2. The method for detecting the running environment of an Android system according to claim 1, characterized in that, when there is no permission to read, write and execute at address, the C mmap function is used and the function pointer call is invoked to carry out the operation of writing the new instruction to address.
CN201610523168.XA 2016-07-05 2016-07-05 A kind of running environment detection method of android system Pending CN106201872A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610523168.XA CN106201872A (en) 2016-07-05 2016-07-05 A kind of running environment detection method of android system

Publications (1)

Publication Number Publication Date
CN106201872A true CN106201872A (en) 2016-12-07

Family

ID=57464842

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610523168.XA Pending CN106201872A (en) 2016-07-05 2016-07-05 A kind of running environment detection method of android system

Country Status (1)

Country Link
CN (1) CN106201872A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6681321B1 (en) * 2000-04-20 2004-01-20 International Business Machines Corporation Method system and apparatus for instruction execution tracing with out of order processors
CN104461663A (en) * 2014-12-30 2015-03-25 北京奇虎科技有限公司 Method and device for loading other mobile terminal applications and mobile terminal

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
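LEONNEWTON: "Detecting the Android emulator using cache characteristics" (利用cache特性检测Android模拟器), HTTP://WOOYUN.JOZXING.CC/STATIC/DROPS/TIPS-13245.HTML *
OMNISPACE: "Detecting the Android emulator using cache characteristics" (利用cache特性检测Android模拟器), HTTP://BLOG.CSDN.NET/OMNISPACE/ARTICLE/DETAILS/50999165 *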

Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106648835A (en) * 2016-12-26 2017-05-10 武汉斗鱼网络科技有限公司 Method and system for detecting running of Android application program in Android simulator
CN107102886A (en) * 2017-04-14 2017-08-29 北京洋浦伟业科技发展有限公司 The detection method and device of Android simulator
CN107526628A (en) * 2017-09-30 2017-12-29 北京梆梆安全科技有限公司 With reference to bottom instruction and the simulator detection method and device of configuration information
CN107633170A (en) * 2017-09-30 2018-01-26 北京梆梆安全科技有限公司 A kind of Android simulator detection method and device of combination ardware feature and sensor
CN107678834A (en) * 2017-09-30 2018-02-09 北京梆梆安全科技有限公司 A kind of Android simulator detection method and device based on hardware configuration
CN107678833A (en) * 2017-09-30 2018-02-09 北京梆梆安全科技有限公司 Simulator detection method and device based on operation system information
CN107729121A (en) * 2017-09-30 2018-02-23 北京梆梆安全科技有限公司 Simulator detection method and device
CN107741907A (en) * 2017-09-30 2018-02-27 北京梆梆安全科技有限公司 With reference to bottom instruction and the simulator detection method and device of system information
CN107908952B (en) * 2017-10-25 2021-04-02 阿里巴巴(中国)有限公司 Method and device for identifying real machine and simulator and terminal
CN107908952A (en) * 2017-10-25 2018-04-13 广州优视网络科技有限公司 Identify the method, apparatus and terminal of prototype and simulator
CN110196795A (en) * 2018-06-21 2019-09-03 腾讯科技(深圳)有限公司 Detect the method and relevant apparatus of mobile terminal application operating status
CN110196795B (en) * 2018-06-21 2022-03-04 腾讯科技(深圳)有限公司 Method and related device for detecting running state of mobile terminal application
CN111367752A (en) * 2018-12-26 2020-07-03 卓望数码技术(深圳)有限公司 Method, device and storage medium for identifying Android real machine and simulator
CN111367752B (en) * 2018-12-26 2023-08-01 卓望数码技术(深圳)有限公司 Method, device and storage medium for identifying Android true machine and simulator
CN111382416A (en) * 2018-12-27 2020-07-07 北京右划网络科技有限公司 Application program operation identification method and device, terminal equipment and storage medium
CN111382416B (en) * 2018-12-27 2022-09-30 北京右划网络科技有限公司 Application program operation identification method and device, terminal equipment and storage medium
CN110245467A (en) * 2019-05-13 2019-09-17 西北大学 Android application program guard method based on Dex2C and LLVM
CN110245467B (en) * 2019-05-13 2023-02-07 西北大学 Android application program protection method based on Dex2C and LLVM
CN111736900A (en) * 2020-08-17 2020-10-02 广东省新一代通信与网络创新研究院 Parallel double-channel cache design method and device
CN112100615A (en) * 2020-09-11 2020-12-18 北京明略昭辉科技有限公司 Equipment identification method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161207

RJ01 Rejection of invention patent application after publication